Professional Documents
Culture Documents
Collaboration and Engagement With Appropriate Third Parties: Best Practice Guide
Collaboration and Engagement With Appropriate Third Parties: Best Practice Guide
COLLABORATION AND
ENGAGEMENT WITH
APPROPRIATE THIRD PARTIES
Best Practice Guide
Version 1.2
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
Version History
This is a living document, which will be periodically updated under direction of the Auto-ISAC Best
Practices Working Group. We will track any updates in the table below.
Version Notes:
This Guide does not prescribe or require specific technical or organizational practices.
i These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
Contents
Version History ..................................................................................................................................i
Section 1.0: Introduction ................................................................................................................. 1
1.1 Best Practices Overview ....................................................................................................... 1
1.2 Purpose ................................................................................................................................. 1
1.3 Scope .................................................................................................................................... 2
1.4 Audience ............................................................................................................................... 2
1.5 Guide Development .............................................................................................................. 2
1.6 Authority, Governance, and Maintenance ............................................................................ 3
Section 2.0: Collaboration and Engagement in Vehicle Cybersecurity ......................................... 3
2.1 Relevant Third Parties .......................................................................................................... 3
2.2 “The Openness Spectrum”.................................................................................................... 4
2.3 Risks of Collaboration and Engagement .............................................................................. 5
2.4 Benefits of Collaboration and Engagement .......................................................................... 6
Section 3.0: Best Practices ............................................................................................................. 8
3.1 Methods of Collaboration and Engagement ......................................................................... 8
3.2 Best Practices for Information Sharing ................................................................................. 8
3.3 Best Practices for Events .................................................................................................... 11
3.4 Best Practices for Programs .......................................................................................... 13
Appendix A: Glossary of Terms .................................................................................................... 16
Appendix B: Additional References and Resources .................................................................... 17
Appendix C: Acronyms ................................................................................................................. 19
This Guide does not prescribe or require specific technical or organizational practices.
ii These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
17 1.2 Purpose
18 The purpose of this Guide is to assist heavy and light-duty vehicle OEMs, suppliers and auto
19 industry stakeholders with collaborating and engaging appropriate third parties as part of their
20 vehicle cybersecurity activities.
21 This Guide provides forward-looking guidance without being prescriptive or restrictive. The third
22 party collaboration and engagement (3PCE) best practices are:
23 • Not Required. Organizations have the autonomy and ability to select and voluntarily adopt
24 practices based on their respective risk landscapes.
25 • Aspirational. These practices are forward-looking, and voluntarily implemented over
26 time, as appropriate.
27 • Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving
28 automotive cybersecurity landscape.
This Guide does not prescribe or require specific technical or organizational practices.
1 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
29 1.3 Scope
30 This Guide discusses voluntary 3PCE, which is focused on enhancing vehicle
31 cybersecurity, with third parties across the connected vehicle ecosystem. The Guide will
32 describe the benefits, decision factors, and methods for voluntary 3PCE.
33 These best practices do not encompass actions that are explicitly required by U.S. or international
34 regulations, state laws, or legal agreements between private entities. For example, the Guide
35 does not cover contractually-obligated sharing with suppliers. However, organizations may use
36 these practices to inform voluntary engagement activities they pursue with their suppliers. The
37 Guide also does not include engagement with consumers—as they are not a third party.
38 Examples to clarify scope are listed in Figure 1.
39 1.4 Audience
40 This Guide was written for use by OEMs, suppliers, the commercial vehicle sector, and other
41 vehicle cybersecurity stakeholders who are responsible for developing and executing 3PCE for
42 their organization.
47 The Working Group also coordinated with several external stakeholders while developing this
48 Guide, including NHTSA, NIST, US-CERT, and CERT-CC.
This Guide does not prescribe or require specific technical or organizational practices.
2 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
Industry Partners. Industry partners are organizations that are directly involved in the
design, manufacturing, selling, and maintenance of on-road vehicles. Collaboration and
engagement among industry partners helps enhance awareness of vehicle
cybersecurity matters that may impact their products or services. These groups include
original equipment manufacturers (OEMs), the OEM supply chain (Tiers 1, 2, and 3),
network providers (e.g. telecommunications providers), software providers, service
providers (e.g. consulting firms, security vendors), dealers, carriers, fleet owners and
operators, infrastructure operators (e.g. Smart Cities, V2X), aftermarket manufacturers
and suppliers, and independent repair shops.
Government. Government third parties include U.S. and international agencies that
play a role in the connected vehicle ecosystem. These include U.S. and international
regulatory agencies (e.g. NHTSA), non-regulatory federal agencies, state and local
governments, law enforcement agencies, and intergovernmental agencies (e.g.
INTERPOL). Collaboration and engagement with this group can help foster policy
decisions that enable vehicle cybersecurity advancements.
Academia. This group consists of universities and educational organizations that are
involved in programs, studies, research, and testing related to connected vehicle
products and services. Collaboration with academia is mutually beneficial; Industry is
able to solve current and future cybersecurity challenges while expanding research
opportunities for academic institutions.
This Guide does not prescribe or require specific technical or organizational practices.
3 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
Researchers. This group include the labs, consortia, research organizations, and
individual researchers and hobbyists comprising the “white-hat” connected vehicle
research community. This group conducts vehicle cybersecurity research and testing
on vehicles for the benefit of public safety and awareness. They can help organizations
stay apprised of the most up-to-date findings and leverage researcher expertise to
improve vehicle cybersecurity. 3PCE with the “black-hat” research community is out of
scope for this Guide.
Media. The media includes public content forums and advertising platforms that
showcase automotive-related stories. When content is accurate, the media offers an
effective way to communicate with current and potential customers about vehicle
cybersecurity, raise awareness about threats, and identify and respond to vehicle
cybersecurity-related news.
60 It can be helpful to establish a set of evaluation criteria to help vet and prioritize external third
61 parties, like those listed above, before collaborating and engaging on sensitive topics.
71
This Guide does not prescribe or require specific technical or organizational practices.
4 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
72 At times, organizations may want to maximize 3PCE, but face roadblocks. Examples of these
73 potential roadblocks and sample mitigation strategies include:
74 • Potential Roadblock: Concerns over real or perceived anti-trust issues, and exposure of
75 intellectual property.
76 o Potential Mitigation: Use appropriate anti-trust warnings and create and
77 communicate appropriate non-disclosure agreements (see Section 3.2 for
78 additional measures)
79 • Potential Roadblock: Lack of clarity internally regarding domestic and international
80 regulatory requirements.
81 o Potential Mitigation: Communicate with government relations personnel and
82 regulators to gain clarity regarding expectations. (see Section 3.2 for additional
83 measures)
84 • Potential Roadblock: Concerns over adversarial market exposures.
85 o Potential Mitigation: Establish relationships dedicated to a specific objective with a
86 small set of collaborators to demonstrate value and build trust in third party
87 resources. (see Section 3.4 for additional measures)
88 • Potential Roadblock: Lack of sufficient tools and technology.
89 o Potential Mitigation: Share costs for technical infrastructure that allows for efficient
90 and secure engagement with third parties. (see Sections 3.2 and 3.3 for additional
91 measures)
92 • Potential Roadblock: Lack of proactive measures to establish communications channels.
93 o Potential Mitigation: Establish non-disclosure agreements (NDAs) and mutually
94 identify points of contact for critical third parties
95 The mitigations listed above are just a sample set. Please see the full list of Best Practices below
96 for additional mitigation ideas.
103 • Mismanaged resource allocation leading to deficiencies in other parts of the organization
104 • Sharing of incorrect or misleading information that could burn resources and weakens
105 cyber defense posture
106 • Disruption of established strategy or processes
107 • Accidental disclosure of intellectual property or other sensitive information
108 • Premature exposure of industry vulnerabilities before providing appropriate time for the
109 affected parties to react and mitigate an issue
110 • Increased levels of shared information, requiring time to filter and prioritize issues
111 • Confusion resulting from inconsistent or unclear reporting and response protocols
This Guide does not prescribe or require specific technical or organizational practices.
5 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
112 The Best Practices described in Section 3.0 may help organizations mitigate these risks as they
113 “move right” on the Openness Spectrum.
143 • Developing external relationships that can be leveraged during crisis management
144 • Increasing capacity through outsourcing
145 • Improving quality and design resulting from increased understanding of and attention to
146 internal products
147 • Reducing reliance on singular technology partners, avoiding the “lock-in” effect
148 3PCE pertaining to vehicle cybersecurity can also help organizations to lower costs. Examples
149 of this include:
This Guide does not prescribe or require specific technical or organizational practices.
6 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
This Guide does not prescribe or require specific technical or organizational practices.
7 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
173
FIGURE 3: METHODS OF COLLABORATION AND ENGAGEMENT
This Guide does not prescribe or require specific technical or organizational practices.
8 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
187 • Processes for detecting and protecting against vehicle cybersecurity threats (see
188 forthcoming Threat Detection and Protection Guide)
189 • Processes for finding and resolving vehicle cybersecurity vulnerabilities
190 • Vehicle cybersecurity organizational structure
191 • Research on vehicle cybersecurity
192 • Customer expectations and experiences regarding vehicle cybersecurity
193 • Industry vehicle cybersecurity trends
194 • Litigation trends related to vehicle cybersecurity incidents
195 • Future opportunities to collaborate on vehicle cybersecurity
196 Engage the right internal stakeholders. Vehicle cybersecurity information is often sensitive,
197 urgent, and multi-faceted. It is important to consider timely engagement of a wide variety of
198 internal groups in order to effectively exchange information with external third parties.
199 Internal stakeholders that may play a role when sharing vehicle cybersecurity information with
200 third parties include:
201 • Executive leadership and Board of Directors – for situational awareness and approvals
202 • Vehicle and enterprise IT cybersecurity analysts – for technical analysis, triage, and
203 remediation
204 • Engineering and Design – for supplier and customer coordination and developing and
205 implementing solutions
206 • Safety experts – for awareness of safety-critical issues
207 • Quality assurance experts – for differentiation between mechanical and cyber issues
208 • Communications experts – for internal and external messaging
209 • Public policy experts – for coordination with government liaisons
210 • Legal counsel – for risk mitigation and decision insights
211 • Supply chain experts – for coordination with suppliers and dealers
212 • Manufacturing plant operators – for issues affecting the assembly line
213 • Purchasing – for issues related to outsourced parts and services
214 • Customer service and warranty representatives– for communication with end customers
215 Create processes to take in and act on shared information. Once an organization receives
216 information from a third party, the next step is to ensure that the information goes to the right
217 person(s) for the appropriate action to be taken. Creating and documenting how different types of
218 information is managed and used allows individuals operating within an organization to maintain
219 clear lines of responsibility and authority.
220 Best Practices for collecting and using information shared by a third party include:
221 • Documented processes govern how to manage vulnerabilities, respond to incidents, and
222 protect against threats (See Incident Response Guide, and forthcoming Guides on Risk
223 Assessment and Management, and Threat Detection and Protection)
224 • An established protocol is shared with external third parties to enable consistent sharing
225 of information
226 • Consistent guidelines are used to assess third party information, including validity and
227 trustworthiness of external information
This Guide does not prescribe or require specific technical or organizational practices.
9 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
228 • An established process is used for consistent, secure dissemination and storage of
229 information within the organization
230 • A clear taxonomy enables common understanding internally and with third parties
231 • Legal and regulatory obligations are clearly understood
232 • An accurate vehicle asset inventory—including hardware, software, and code versions
233 and origins—provides rapid insights into production and post-production vehicles
234 • Internal stakeholders understand the organizational structure, including roles and
235 responsibilities of business units, POCs for external groups, and approval requirements
236 • When applicable, there is an ability to take in information through common, standardized
237 formats (e.g. CVE, STIX, TAXII) and via industry-wide forums (e.g. Auto-ISAC Portal)
238 Create processes to push information to external third parties. Before vehicle cybersecurity
239 information can be shared externally, organizations will want to determine how, what, and to
240 whom information is sent. Creating processes to capture and push information will enable timely
241 sharing and limit disclosure risks.
242 Best Practices for pushing vehicle cybersecurity information to third parties include:
243 • Processes for reviewing and approving the information reflect technical, business, and
244 legal perspectives
245 • A common approach and criteria define which third parties would benefit from the
246 information, timeframes for dissemination, mechanisms to share, and roles and
247 responsibilities to develop, review, approve and send the information
248 • Internal documentation and storage policies are based on the type of information and the
249 destination, and align with regulatory requirements
250 • Defined metrics rank information by priority and sensitivity, including an assessment of the
251 information’s impact on vehicle safety and personal privacy
252 • Organizations and third parties have non-disclosure agreements or other confidentiality
253 agreements in place, if necessary, to safeguard information
254 • Organizations are able to push out information through standardized formats (e.g. CVE,
255 STIX, TAXII) and through industry-wide platforms (e.g. Auto-ISAC Portal) as appropriate
256 Acquire appropriate tools and technologies. At times, organizations will want to share
257 information with a very limited number of external parties, while at others, they will want to widely
258 broadcast the information. Some information will need to be kept anonymous, confidential, or
259 secure when it is shared. A suite of information sharing tools will help to accommodate these
260 requirements and allow organizations to engage third parties efficiently and reliably. Sample tools
261 and technologies that may be used to share or receive vehicle cybersecurity information include:
This Guide does not prescribe or require specific technical or organizational practices.
10 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
279 • Incident Response (IR) Exercises. Opportunities to build relationships with response-
280 relevant third-parties through a variety of exercises—including tabletops, wargames, drills,
281 and threat scenario workshops—where participants simulate vehicle cyber incident
282 response processes through a scenario
283 • Cyber Challenges. Challenge-based events—including hackathons and code-athons—
284 in which software developers and/or engineers collaborate to produce a prototype, proof
285 of concept, or cybersecurity solution
286 • Conferences. Formal meetings designed to promote information sharing through
287 presentations, networking, and discussion panels.
288 • Webinars. Remote information sharing sessions led by subject matter experts on a
289 specific topic
290 • Workshops. Collaborative working group sessions that bring together diverse experts to
291 produce specific content (e.g. Best Practices Workshops)
292 • Press Events. Media events designed to share news or announcements
293 As illustrated in Figure 4, each type of event has its own set of potential benefits and value
294 proposition. Some events (e.g. Exercises) provide more value when performed on a regular
295 schedule, while others may be done on a more ad-hoc basis. Organizations may consider an
296 appropriate cadence based on their risk landscape and resources to maximize value and avoid
297 event fatigue or overinvestment.
Cyber Press
Benefits Exercises Conferences Webinars Workshops
Challenges Events
Networking X X X
Capability
Improvement
X X X X X
Process
X X X
Improvement
External
X X X
Communication
Recruitment X X X
Industry
Alignment
X X X
298 FIGURE 4: BENEFITS OF EVENTS
This Guide does not prescribe or require specific technical or organizational practices.
11 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
299 Design and execute 3PCE events. Designing and executing events allows automotive industry
300 organizations to better align events to their specific needs. It may also help to establish the
301 organization as an industry leader in vehicle cybersecurity, improving brand image and recruiting.
302 Sometimes, cybersecurity events can be incorporated into existing events or working
303 relationships to avoid duplication of efforts.
304 Best Practices for designing and executing 3PCE events related to vehicle cybersecurity include:
305 • Invitations are distributed within and across industries to bring together expertise and
306 foster collaboration
307 • Guidelines for participant behavior and use of information controls (e.g. confidentiality,
308 ownership agreements) are clearly articulated and documented
309 • Appropriate legal and ethical oversight is on-hand
310 • Anti-trust statements are read aloud before commencing the event
311 • Consideration is given to relevant international concerns (e.g. policy variations, language
312 barriers, etc.)
313 • Logistics and scheduling enable widespread participation by avoiding conflicting events
314 and largely inconvenient locations
315 • A specific focus of the event is determined and articulated at the beginning of event
316 planning
317 • Appropriate staffing and resources are in place to accommodate the event’s scale
318 • Recognized subject matter experts are invited and able to attend
319 Participate in 3PCE events designed by third parties. Participating in other organizations’
320 events allows automotive industry organizations to benefit from events without committing
321 significant time and resources. It also may help build new capabilities and explore areas outside
322 of an organization’s core competencies.
323 Best Practices for participating in 3PCE events pertaining to vehicle cybersecurity designed by
324 third parties include:
325 • Participants’ roles and responsibilities are aligned with the event’s topic of interest
326 • Participants are aware of anti-trust guidelines
327 • Participants are aware of what they are (and are not) permitted to share with event
328 attendees
329 • Participants are prepared to capture insights from the event and provide a recap to the
330 organization
This Guide does not prescribe or require specific technical or organizational practices.
12 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
This Guide does not prescribe or require specific technical or organizational practices.
13 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
• Skills development
Strategic Talent
Development
• Exchange of ideas
• Recruiting opportunities
367 FIGURE 5: BENEFITS AND OUTPUTS OF PROGRAMS
368 Design and execute 3PCE programs. Designing and executing programs allows automotive
369 industry organizations to better align programs to their needs. It also helps to establish the
370 organization as an industry leader in vehicle cybersecurity, improving brand image and recruiting.
371 Best Practices for designing and executing 3PCE programs with third parties related to vehicle
372 cybersecurity include:
373 • Planning teams are aware of internal confidentiality and privacy requirements and able to
374 communicate them to third parties
375 • There is a process to assess participating third parties’ value proposition and reputation
376 • Programs are designed to acquire different perspectives and additional knowledge within
377 a defined group of organizations
378 • Appropriate business, technical, and legal resources are provided for the program
379 • The program has a defined scope that is unique and relevant to all parties
380 • Organizers consider appropriate incentives and motivations to encourage sufficient
381 participation in the program
382 • Organizers take ownership of the program’s outcomes
383
This Guide does not prescribe or require specific technical or organizational practices.
14 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
384 Participate in 3PCE programs designed by third parties. Participating in other organizations’
385 programs allows automotive industry organizations to benefit from programs without committing
386 significant time and resources. It also may help build new capabilities and explore areas outside
387 of an organization’s core competencies.
388 Best Practices for participating in 3PCE programs with third parties dedicated to vehicle
389 cybersecurity include:
390 • Participants’ roles and responsibilities are aligned with the program’s topic of interest
391 • Participants are aware of anti-trust guidelines
392 • Participants are aware of what they are (and are not) permitted to share with other program
393 participants
394 • Participants have an ability to document and publish program findings either internally or
395 publicly, as appropriate
396 • Participants have defined a process to review program results prior to sharing findings
This Guide does not prescribe or require specific technical or organizational practices.
15 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
TERM DEFINITION
This Guide does not prescribe or require specific technical or organizational practices.
16 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
Naval War College - Using Wargames for Command and Control Experimentation <link>
NTIA - Coordinated Vulnerability Disclosure “Early Stage” Template and Discussion <link>
Open Group –Leveraging Open Trusted Technology Partners in the Supply Chain <link>
Auto-ISAC <link> (For sharing potential vulnerabilities, threats and other information. You are not
required to be a Member to share information with Auto-ISAC. Membership eligibility information is also
available on the link provided.)
CERT-CC <link>
This Guide does not prescribe or require specific technical or organizational practices.
17 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
First.org <link>
Ready.gov <link>
US-CERT <link>
Volpe <link>
404
This Guide does not prescribe or require specific technical or organizational practices.
18 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
This Guide does not prescribe or require specific technical or organizational practices.
19 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
This Guide does not prescribe or require specific technical or organizational practices.
20 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.